PingOne for Enterprise Release Notes - PingOne for Enterprise


New features and improvements in PingOne for Enterprise, PingOne for Enterprise for Managed Service Providers, PingOne SSO for SaaS Apps, PingOne SSO for SaaS Apps with Managed Accounts, and AD Connect.

May 2024

SCIM SaaS Provisioner

PingOne for Enterprise
Fixed

Fixed a defect that caused a JSON parsing error when non-standard fields are present in the SCIM 2.0 Enterprise User Schema Extension.

The following known limitations apply:

  • User attributes cannot be cleared after they have been set. They can only be updated.
  • Outbound Group Provisioning and Memberships are not supported.
  • Patch updates to SCIM-enabled target applications are not supported.
  • There is a limit of one value per type (such as home, work, or other) for multivalue attributes such as email, phone, and address.
  • Unexpected behavior may occur if the SaaS does not specify either type and primary information, or both type and primary information for multivalue attributes such as email, phone, and address. Also, existing SaaS attributes might not be removed during an Update, and the desired value might not be correctly set as primary.
  • SCIM-compliant service providers can implement or interpret SCIM standards differently, which can result in behavior that is not consistent with the intended use of the SCIM SaaS Provisioner.

PingOne Connector

PingOne for Enterprise
New

Added support for the Australia region.

The following known limitations apply:

  • Clearing fields on updates is not supported.
  • Multivalued attributes (e.g. emails or addresses) are not supported. Multiple values appear as a single array value in PingOne.
  • Custom attributes are set when the user is initially created, and are never updated.

March 2024

Country data for SSO report

PingOne for Enterprise
New

Added a new column to the SSO report listing the country where the SSO event originated.

To learn more, see PingOne for Enterprise report event reference.

November 2023

ServiceNow Connector 2.3

PingOne for Enterprise
New

Added support for the Utah and Vancouver versions of ServiceNow.

The following known limitations apply:

  • Outbound Group Provisioning and Memberships are not supported.
  • User attributes cannot be cleared after they have been set. They can only be updated.
  • When provisioning to ServiceNow, all user accounts in ServiceNow must have a username (User ID).

    This is not a required field in ServiceNow, but it is required for provisioning to work due to the provisioner using this field to sync with preexisting users in ServiceNow. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), then the accounts will be linked.

    Currently, users that exist in ServiceNow without a username cause errors in provisioning. Resolve this by ensuring every user has this field populated, even if they are not intended to be managed by the provisioner.

  • When provisioning users, the username attribute must only contain URL-safe characters.
  • When synchronizing roles with users, the role attribute must contain only URL-safe characters.
  • If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information in the create.
  • Due to limitations with the ServiceNow API, a role can be added to a user, but not removed. This may cause a user’s role in the source datastore to become out-of-sync with the user’s role in ServiceNow.

    For more information, see Enable User Role Removal.

  • When mapping the roles attribute, multiple additional calls to ServiceNow must be made to sync user role. This may impact provisioning performance.
  • For departments that contain the ^ character in the name, the ServiceNow API causes the creation of multiple departments with the same name.
  • For the department and location parameters, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments or locations in ServiceNow (such as Accounting and accounting), PingFederate provisions the user with an empty department or location attribute and logs an error in provisioner.log.
  • The city attribute mapping is not supported for the local repository.

For more information, see Adding ServiceNow to Your PingOne for Enterprise Dock.
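
The ServiceNow limitations listed above can be checked before a provisioning run and reconciled afterwards. The following Python sketch is an added example, not Ping Identity or ServiceNow code; the record shapes, function names, and sample values are hypothetical, and "URL-safe" is assumed to mean the RFC 3986 unreserved characters because the notes do not define the set.

```python
import re
from collections import defaultdict

# Assumption: "URL-safe" is taken to mean the RFC 3986 unreserved characters;
# the release notes do not define the exact set.
URL_SAFE = re.compile(r"[A-Za-z0-9._~-]+")


def fold_names(names):
    """Group existing ServiceNow names by their case-insensitive form."""
    groups = defaultdict(set)
    for name in names:
        groups[name.casefold()].add(name)
    return groups


def check_source_user(user, sn_departments, sn_locations):
    """Return the documented limitations a source user record would hit."""
    findings = []
    if not URL_SAFE.fullmatch(user.get("username", "")):
        findings.append("username is empty or not URL-safe")
    for role in user.get("roles", []):
        if not URL_SAFE.fullmatch(role):
            findings.append(f"role not URL-safe: {role!r}")
    if "^" in user.get("department", ""):
        findings.append("department contains '^'")
    for field, existing in (("department", sn_departments), ("location", sn_locations)):
        value = user.get(field, "")
        if len(fold_names(existing).get(value.casefold(), ())) > 1:
            findings.append(f"{field} matches multiple ServiceNow entries")
    return findings


def accounts_missing_username(sn_accounts):
    """ServiceNow accounts with no User ID, which break provisioning sync."""
    return [a["id"] for a in sn_accounts if not a.get("username")]


def role_drift(source_roles, sn_roles):
    """Roles still held in ServiceNow that the source datastore no longer grants."""
    drift = {}
    for user, held in sn_roles.items():
        stale = sorted(set(held) - set(source_roles.get(user, ())))
        if stale:
            drift[user] = stale
    return drift


# Constructed sample data (not taken from any real tenant).
SN_DEPARTMENTS = ["Accounting", "accounting", "Sales"]
SN_LOCATIONS = ["Denver"]
SN_ACCOUNTS = [{"id": "acct-1", "username": "jdoe"}, {"id": "acct-2", "username": ""}]

if __name__ == "__main__":
    bad = {"username": "a smith", "roles": ["help desk"], "department": "R^D", "location": "Denver"}
    print(check_source_user(bad, SN_DEPARTMENTS, SN_LOCATIONS))
    print(check_source_user({"username": "jdoe", "department": "Accounting"}, SN_DEPARTMENTS, SN_LOCATIONS))
    print(accounts_missing_username(SN_ACCOUNTS))
    print(role_drift({"jdoe": ["itil"]}, {"jdoe": ["itil", "admin"]}))
```

Because roles can be added but not removed, the `role_drift` output is the list to review for privileges that outlive their removal in the source datastore.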

July 2023

Webex Connector 2.3.0

PingOne for Enterprise
New

Updated the SiteID configuration field to be optional.

For more information, see Adding WebEx to Your PingOne for Enterprise Dock.

Zoom Connector 1.3.3

PingOne for Enterprise
New

Added support for Server-to-Server OAuth applications. This is an alternative method to create a connection to Zoom due to the deprecation of JSON Web Token (JWT) applications.

For more information, see Adding Zoom to Your PingOne for Enterprise Dock.

May 2023

Manual PingOne for Enterprise connections

PingOne SSO for SaaS Apps
Info

It is no longer possible to connect a PingOne for Enterprise tenant and a PingOne SSO for SaaS Apps tenant by manually exchanging metadata. This kind of connection was never supported, and can cause duplicate entity ID errors.

You should always use an invited connection to connect your PingOne SSO for SaaS Apps application to PingOne for Enterprise.

April 2023

Users by Service search

PingOne for Enterprise
Info

The Users by Service search behavior has changed from returning results that contain the search string to returning results that begin with the username.

For more information, see Monitoring service activity.

ServiceNow Tokyo

PingOne for Enterprise
Improved

Added support for the Tokyo version of ServiceNow.

The following known limitations apply:

  • Outbound Group Provisioning and Memberships are not supported.
  • User attributes cannot be cleared after they have been set. They can only be updated.
  • When provisioning to ServiceNow, all user accounts in ServiceNow must have a username (User ID).

    This is not a required field in ServiceNow, but it is required for provisioning to work due to the provisioner using this field to sync with preexisting users in ServiceNow. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), then the accounts will be linked.

    Currently, users that exist in ServiceNow without a username cause errors in provisioning. Resolve this by ensuring every user has this field populated, even if they are not intended to be managed by the provisioner.

  • When provisioning users, the username attribute must only contain URL-safe characters.
  • When synchronizing roles with users, the role attribute must contain only URL-safe characters.
  • If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information in the create.
  • Due to limitations with the ServiceNow API, a role can be added to a user, but not removed. This may cause a user’s role in the source datastore to become out-of-sync with the user’s role in ServiceNow.

    For more information, see Enable User Role Removal.

  • When mapping the roles attribute, multiple additional calls to ServiceNow must be made to sync user role. This may impact provisioning performance.
  • For departments that contain the ^ character in the name, the ServiceNow API causes the creation of multiple departments with the same name.
  • For the department and location parameters, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments or locations in ServiceNow (such as Accounting and accounting), PingFederate provisions the user with an empty department or location attribute and logs an error in provisioner.log.

March 2023

Email communications

PingOne for Enterprise, PingOne SSO for SaaS Apps
Info

Updated our email communications to change the product name from "PingOne" to "PingOne for Enterprise".

This change affects both PingOne for Enterprise and PingOne SSO for SaaS Apps licenses, and will include all emails from Ping, including certificate expiration and password expiration messages.

Email templates that you have customized for your customer accounts are not affected by this change.

If you have any email filters in place, update them to reflect this change.

February 2023

PingID license management for customer accounts

PingOne for Enterprise
New

Added the ability to manage PingID licensing for your PingOne for Enterprise for Managed Service Providers customer accounts.

Note:

This feature is in limited release. To request access to this feature, open a support case.

For more information, see Administer customer accounts.

Google Workspace Connector 3.2.1

PingOne for Enterprise
Improved

  • Added support for the addressFormatted user attribute.

    addressFormatted is a full and unstructured postal address. This single-string attribute can include any values like: PO Box, city, state/province, ZIP/postal code, or country/region.

  • Fixed an issue that caused new users not to be provisioned with group membership.
  • Fixed an issue that caused users not to be disabled by a disable deprovision action.

For more information, see the Google Workspace Provisioner documentation.

December 2022

Improved messaging for expired user invitations

PingOne for Enterprise
Improved

Updated the messaging for the following PingOne for Enterprise Directory invited user scenarios:

If an invited user clicks on an expired invitation link, they are redirected to the PingOne for Enterprise sign-on page with an error message directing them to request a new invitation from an administrator. For more information, see Add directory users.

If an invited user has not yet been approved, and they try to use the Forgot Password link, they will see an error message that their account is still awaiting approval.

SCIM SaaS Provisioner 1.5

PingOne for Enterprise
Improved

Added the homeEmail and otherEmail attributes.

The following known limitations apply:

  • Clearing fields on updates is not supported.
  • Outbound Group Provisioning and Memberships are not supported.
  • Patch updates to SCIM-enabled target applications are not supported.
  • There is a limit of one value per type (such as home, work, or other) for multivalue attributes such as email, phone, and address.
  • Unexpected behavior may occur if the SaaS does not specify either type and primary information, or both type and primary information for multivalue attributes such as email, phone, and address. Also, existing SaaS attributes might not be removed during an Update, and the desired value might not be correctly set as primary.
  • SCIM-compliant service providers can implement or interpret SCIM standards differently, which can result in behavior that is not consistent with the intended use of the SCIM SaaS Provisioner.

For more information, see the SCIM Provisioner documentation.

Zoom Connector 1.2

PingOne for Enterprise
Improved

We added a feature to restore the user's Zoom license when the user is re-enabled.

The following known issues apply:

  • The Zoom Provisioner does not support group provisioning.
  • User attributes cannot be cleared once set. They can only be updated.
  • Zoom only allows a single value for the Roles attribute.
  • Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group that is created by the provisioner. We recommend not deleting the administrative user and not managing this user through the provisioner.
  • Zoom does not allow attribute updates for users with a "disabled" status. To update attributes, re-enable the user first.
  • Zoom does not allow users with the admin role to be disabled or deleted. Change the user's role first.

For more information, see the Zoom Provisioner documentation.

November 2022

Export a report of applications by group access

PingOne for Enterprise
Improved

You can now export a .csv report of configured applications and the user groups assigned to access them. This can be useful for filtering purposes if you have a large number of active applications.

For more information, see Exporting a report of applications by group.

September 2022

Managed accounts certificate notifications

PingOne for Enterprise, PingOne SSO for SaaS Apps
Improved

If you have a PingOne for Enterprise for Managed Service Providers or PingOne SSO for SaaS Apps with Managed Accounts license, you can now enable your administrators to receive email notifications when your customer accounts have certificates that are about to expire or have expired.

For more information, see Editing administrative roles, permissions, and notifications.

August 2022

Custom application and customer connection secrets

PingOne SSO for SaaS Apps
New

You can now generate client secret values for each application and customer connection API connection.

This ability improves security over using a single set of client credentials for all connections.

Note:

This feature is currently in limited release. To request access to this feature, open a support case.

For more information, see Creating or editing application-specific credentials and Creating or editing additional Connection API credentials.

PingOne for Enterprise Directory self-registration

PingOne for Enterprise
Improved

You can now configure how long the email invitation remains valid for new self-registering PingOne for Enterprise Directory users.

You can set the duration between 1 hour and 168 hours. The default duration is 24 hours.

For more information, see Allow self registration for new directory users.

Custom Entity ID

PingOne SSO for SaaS Apps
Info

The ability to define a custom entity ID for applications that are enabled through PingOne SSO for SaaS Apps is now available to all customers.

If a custom entity ID is in use by a non-multiplexed connection, it cannot be changed.

For more information, see Add or update other applications.

July 2022

ServiceNow Connector 2.3

PingOne for Enterprise
Improved

Added support for the Rome and San Diego versions of ServiceNow.

The following known issues apply:

  • Outbound Group Provisioning and Memberships are not supported.
  • User attributes cannot be cleared once set. They can only be updated.
  • When provisioning to ServiceNow, all user accounts in ServiceNow must have a username (User ID). This is not a required field in ServiceNow, but it is required for provisioning to work due to the provisioner using this field to sync with pre-existing users in ServiceNow. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), then the accounts will be linked. Currently, users that exist in ServiceNow without a username cause errors in provisioning. You can resolve this by ensuring every user has the username field populated, even if they are not intended to be managed by the provisioner.
  • When provisioning users, the username attribute must only contain URL-safe characters.
  • When synchronizing roles with users, the role attribute must contain only URL-safe characters.
  • If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information in the create.
  • Due to limitations with the ServiceNow API, a role can be added to a user, but not removed, which may cause a user’s role in the source datastore to become out-of-sync with the user’s role in ServiceNow. For more information, see Adding the Ping Identity provisioning role in ServiceNow.
  • When mapping the roles attribute, multiple additional calls to ServiceNow must be made to sync user role. This may impact provisioning performance.
  • For departments that contain the ^ character in the name, the ServiceNow API causes the creation of multiple departments with the same name.
  • For the department and location objects, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments or locations in ServiceNow (such as Accounting and accounting), PingFederate provisions the user with an empty department or location attribute and logs an error in provisioner.log.

March 2022

PingID admins multi-factor authentication (MFA) bypass

PingOne for Enterprise
New

Added an optional permission to allow PingID Device Administrators to grant temporary MFA bypass to users.

To enable this permission, go to Account > Administrators > Permissions and select Allow Bypass.

For more information, see Administrative roles.

Google Workspace Provisioner improvements

PingOne for Enterprise
Improved

Added the following improvements to the Google Workspace Provisioner:

  • Added the ability to disable and delete users
  • Added the ability to provision disabled users
  • Added the ability to remove user actions
  • Added support for Google Admin SDK 1.32.1

The following known issues apply:

  • User attributes cannot be cleared once set.
  • Google does not properly handle creating users with an invalid addressCountry value.
  • The Provisioner sends the value of work for the Organization type. However, Google does not retain this value, and as a result the Organization type has no value.
  • Google treats certain user attributes as complex data sets:
    • Address (address* attributes)
    • Organization (org* attributes)
    • Phone (work* attributes)

    Any unmapped or empty fields within a complex data set will be cleared in the corresponding Google account.

New report type

PingOne for Enterprise
New

Added a new report type for PingOne for Enterprise for Managed Service Providers accounts.

The SSO Summary by Customer report displays unique users and SSO transactions for each of your customer accounts.

For more information, see PingOne for Enterprise report types.

New report type

PingOne for Enterprise
New

The SSO User Summary report displays a list of all unique users who have used SSO during the defined period.

Note:

This feature is currently in limited release. To request access to this feature, open a support case.

For more information, see PingOne for Enterprise report types.

Application integration testing change

PingOne SSO for SaaS Apps
Info

Changed the tenant used to generate test users from PingFederate to PingOne for Enterprise Directory.

Test user IDs and passwords will no longer automatically populate on the test IdP login site. You can find a complete list of test user IDs and their passwords in the documentation.

For more information, see Testing your application using the built-in IdP.

REST application customization

PingOne SSO for SaaS Apps
New

Added an option to allow your customers to customize the Default Application URL and Error URL when they configure your REST application from the application catalog.

For more information, see Add or update other applications.